GLOBAL PARTNERS LP - (GLP)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

In the ordinary course of our business, we collect and store sensitive data including, without limitation, our proprietary business information and that of our customers, suppliers and business partners, information with respect to potential ventures and transactions, and personally identifiable information of our employees, customers and business partners. Our business is dependent upon our computer systems, devices, software and networks (operational and information technology) to collect, process and store the data necessary to conduct almost all aspects of our business. We are committed to protecting the confidentiality and integrity of, and access to, our information technology and other business systems, and the personal information of our employees and customers and business data managed, stored and processed on such systems.

With the goal of protecting against and managing cybersecurity threats, we have a cybersecurity risk management program designed to assess, identify, manage and mitigate cybersecurity threats that could adversely and materially affect our business.

We have sought to align our cybersecurity risk management program with our business strategy and integrate our cybersecurity risk management program into our overall risk management strategy and policies and throughout our operations. Our cybersecurity risk management program is comprised of technical and administrative controls, processes, policies and procedures based on applicable laws and industry standards and guided by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework.

As part of our cybersecurity risk management program, we undertake ongoing cyber risk assessments as part of our efforts to detect, evaluate and respond to potential cybersecurity threats, including regular testing by our internal cyber operations team. We also engage third-party cybersecurity consultants to provide cybersecurity audits, targeted attack testing, cybersecurity threat intelligence and cybersecurity incident response services. We have also implemented a threat hunting program designed to seek out and identify potential cybersecurity threats in our systems. We require all employees and contractors to participate in cybersecurity training designed to enhance their understanding of cyber threats and their ability to identify and escalate potential incidents. Our vulnerability management program is designed to identify, assess, and remediate cybersecurity threats in our systems, such as through penetration testing.

We require all of our third-party information technology vendors to undergo evaluations by our internal data privacy and data security team as part of our efforts to assess, document and mitigate potential cybersecurity threats associated with our use of such vendors and the software, applications and services they provide. In addition, we have implemented measures designed to address the risks associated with the use of industrial control systems to help

57

maintain the reliability and safety of our operations. Our information technology and operational technology disaster recovery program is designed to help maintain the continuity of critical business operations in the event of a disruptive cybersecurity incident through procedures for data recovery, system restoration, and business resumption.

We also have implemented an incident response plan that is designed to facilitate our response to cybersecurity incidents and escalation of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us, to our executive officers, other members of our senior management team and other internal stakeholders. This plan is designed to provide our executive officers and other members of our senior management team with the information needed to assess the materiality of a cybersecurity incident and the need for public disclosure. The incident response plan is tested annually to assess its operational effectiveness. We conduct an annual “tabletop” exercise during which we simulate cybersecurity incidents to help us prepare to respond to a cybersecurity incident and to identify areas for potential improvement. These exercises are conducted in close coordination with members of our internal cybersecurity risk management team, our retained cybersecurity incident response consultants, outside cybersecurity counsel and internal technical, operations, insurance risk management, internal audit and legal personnel, as well as certain executive officers and members of the senior management team.

Governance

We have an internal cybersecurity risk management team consisting of our cybersecurity operations team, cybersecurity engineering team and data privacy and data security team, all reporting to our Chief Information Security Officer (“CISO”). This team is responsible for overseeing cybersecurity threats and assessing and managing material risks from cybersecurity threats.

With over two decades of cybersecurity and information security experience, our CISO leads our cybersecurity risk management team and holds certifications including CISSP, CISA, CISM, and CRISC. Leveraging their cybersecurity experience, knowledge of our company and leadership, our CISO plays an important role in both the strategic development and tactical execution of our cybersecurity risk management program. Our CISO reports to the Chief Information Officer (“CIO”) and regularly consults with our Chief Legal Officer (“CLO”) and other members of the legal team, as well as outside cybersecurity counsel, for strategic and operational input on risk management and compliance with applicable cybersecurity laws and regulations.

We have a management-level cybersecurity committee that has primary responsibility for our overall cybersecurity risk management program and oversees our internal cybersecurity personnel and retained external cybersecurity consultants. The cybersecurity committee includes our Chief Financial Officer, CIO) CLO and our Director of Internal Audit. Our CISO meets with the members of the cybersecurity committee regularly, together with other members of the internal cybersecurity risk management team, to provide updates on cybersecurity issues and risk management activities related to preventing, detecting and mitigating cybersecurity incidents.

Our cybersecurity committee monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents. Our cybersecurity committee also consults with internal and external cybersecurity personnel and threat intelligence, obtains other information from governmental, public or private sources, and communicates with senior management about cybersecurity threats and resources for managing them.

Our Board of Directors (the “Board”) oversees our cybersecurity risk management activities. At least annually, the CISO, CIO and certain other members of the cybersecurity committee report to the Board on the state of our cybersecurity risk program and current and emerging cybersecurity risks. The Board’s Audit Committee has been delegated strategic oversight of our cybersecurity risk management program and the work of the cybersecurity committee and is responsible for providing feedback regarding the cybersecurity risk program, as needed. Any cybersecurity incident deemed to have a moderate or higher business risk is also reported to the Board.

Impacts from Cybersecurity Threats

As of the date of this report, though we and our service providers have been subject to certain cybersecurity incidents, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to

58

materially affect us. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology systems could have significant consequences to the business. See “Item 1A, Risk Factors,” for additional information about the risks to our business associated with a breach or compromise to our information technology systems.